DATA PROTECTION BOARD DECLARES THE MEASURES TO BE COMPLIED WITH WHEN PROCESSING SENSITIVE PERSONAL DATA

Client Alert:

Turkish Data Protection Board’s ("DPB") decision no. 2018/10 (“Decision”) has been published in the Official Gazette no. 30353 dated 7 March 2018. This long-awaited decision clarifies the adequate measures to be taken by the data controllers for processing sensitive personal data and is expected to significantly affect how data controllers handle such data in daily operations.

Information in relation to “race, ethnicity, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing , membership to associations, foundations or trade-unions, health, sexual life, criminal convictions and security measures” and “biometric and genetic data” falls under the term “Sensitive Personal Data”, processing of which are subject to the measures specified in the Decision.

The Decision lists the measures under five categories, a summary of each can be found below:

Policies and Procedures: In order to ensure the security of sensitive personal data, data controllers must establish systemized, manageable, and sustainable policies and procedures, with clearly defined rules.

Employees: Data controllers must implement certain measures in relation to their employees who process sensitive personal data, which includes providing training and executing confidentiality agreements.

Electronic Systems: Some of the measures data controllers are expected to take are preserving the data using cryptographic methods, applying user-authorization restrictions, and securely logging the activity records.

Physical Filing Systems: Data Controllers should ensure that adequate security measures are taken in accordance with the nature of the environment in which sensitive personal data are stored.

Transfers: The Decision sets out specific measures to be implemented for transfer of sensitive personal data. For instance, in order to transfer personal data between two servers residing in distinct locations, a VPN or sFTP connection must be established between such servers beforehand.

The Decision also makes reference to the DPB’s guidance on data security (available as PDF, in Turkish) and indicates that the measures listed therein should be taken into consideration as well.

Further Developments

On a side note, we would like to mention that “Communiqué on the Procedures and Principles of Application to Data Controller” and “Communiqué on the Procedures and Principles of the Obligation to Inform” were published in the Official Gazette no. 30356 dated 10 March 2018, providing guidance on data subject requests and notices to be provided to the data subjects.